Default SSL certificate

I have a multi-domain SSL cert installed on my primary domain.

In Virtualmin, when I create a new virtual server and add SSL, it creates a new ssl.cert and ssl.key in the new home directory. Which is sort of correct, except it's not using the multi-domain cert that is in use on the primary domain. I have to manually copy the SSL files to the new user directory.

On my other Virtualmin server, whenever I create a new virtual server and add SSL, the new domain automatically uses the same multi-domain SSL cert as the rest of the domains. No manual intervention required.

So I'm not sure what's different with this new server. Is there a default SSL setting somewhere?

Status: Active

Comments

On the problem system, is the new domain being created on the same IP address as the existing domain with the UCC (multi-domain) cert?

Yes. There is only 1 IP on the problem server.

If you select the domain that has the UCC cert and then go to Server Configuration -> Manage SSL Certificate, are all the other domains shown in the "Other domain names" field?

Yes, all the domains are shown in the 'other domains' field. But only on the primary domain's SSL:

=========================
Current SSL certificate details
SSL certificate file /home/web1.redcarrot.net/ssl.cert
SSL private key file /home/web1.redcarrot.net/ssl.key
Web server hostname redcarrot.co.uk
Organization redcarrot.co.uk
Issuer name Go Daddy Secure Certification Authority
Issuer organization GoDaddy.com, Inc.
Expiry date Jul 20 15:35:26 2013 GMT
Certificate type Signed by CA
Other domain names redcarrot.co.uk | www.redcarrot.co.uk | gateway.routiers.co.uk | ns3.redcarrot.net | routiers.co.uk | ukfast.redcarrot.net | ukstreetscene.co.uk | www.bowlsonline.co.uk | www.canterburychurchshop.co.uk | www.credocare.co.uk | www.cvstudio.co.uk | www.dogtiredpyjamas.co.uk | www.homesupplies-direct.co.uk | www.kentautodevelopments.com | www.kurling.com | www.spareyourblushes.com | www.utterly-gorgeous.co.uk | www.wobblywardrobe.co.uk | ns1.nfwd.net | confectionperfection.co.uk | thirdcity.ns3.redcarrot.net | web1.redcarrot.net
Download certificate PEM format | PKCS12 format
Download private key PEM format | PKCS12 format
==============================

As an example, I have just tried creating a new domain 'test.com' and enabling SSL.

I get the usual warning about 'SSL being enabled for more than one domain on the IP address' and 'Are you sure you want to continue', along with a list of all domains on the SSL (as listed above).

I press 'Yes, create Virtual Server'.

The server is created.

I browse to 'Server Configuration' > Manage SSL certificate.

The SSL cert is not the correct one. It appears to be self signed:

===================================
Current SSL certificate details
SSL certificate file /home/test.com/ssl.cert
SSL private key file /home/test.com/ssl.key
Web server hostname *.test.com
Issuer name *.test.com
Expiry date Mar 26 21:13:19 2018 GMT
Certificate type Self-signed
Download certificate PEM format | PKCS12 format
Download private key PEM format | PKCS12 format
===================================

Lewis

I wouldn't expect test.com to share the SSL cert though, as it isn't in the "Other domain names" list. Only domains that are in that list will work properly.

I see that some of the domains in the list have a www prefix, like www.spareyourblushes.com .. but there is no entry for the plain domain like spareyourblushes.com . This will cause Virtualmin not to select the cert.

OK, I now understand why 'test.com' didn't select the certificate. I didn't realise that Virtualmin was making that decision for me. Bad example.

However, the reason I even noticed this in the first place is that I tried to enable SSL for 'cvstudio.co.uk'. The cert has an entry for 'www.cvstudio.co.uk', so I would expect this to work, but it doesn't. The website has never used 'http://cvstudio.co.uk', and there is a 301 redirect in place to 'www.cvstudio.co.uk' for SEO purposes.

This goes for many of my sites which I'm bringing over from Plesk (ugh!) where this isn't an issue. You upload your SSL and 'make default for websites'. The SSL is attached to the IP, rather than any particular domain.

So, the question is, how do I install a cert for a 'www' site, without the extraneous need to have two cert entries for each domain? Is manual intervention always going to be required?

The next release of Virtualmin will fix this issue, by also making use of the www.domain cert if there is one.

Until then, there isn't really any work-around .. other than re-generating the cert to include the bare domain names.
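
The coverage gap discussed in this thread can be audited before re-generating the cert. The following is an added example, not part of the original posts and not Virtualmin's own selection logic: it checks each hosted domain's bare and www names against a cert's "Other domain names" list using the usual exact/wildcard TLS matching rule. `SAN_LIST` is a subset of the list quoted above; `HOSTED` and the function names are constructed for illustration.

```python
# Added example: audit which hosted domains a multi-domain (UCC/SAN) cert covers.
# SAN_LIST is a subset of the "Other domain names" field quoted in the thread;
# HOSTED is a constructed list of virtual servers to check.

SAN_LIST = [
    "redcarrot.co.uk", "www.redcarrot.co.uk", "routiers.co.uk",
    "www.cvstudio.co.uk", "www.spareyourblushes.com", "web1.redcarrot.net",
]
HOSTED = ["redcarrot.co.uk", "cvstudio.co.uk", "routiers.co.uk", "test.com"]


def san_matches(san: str, host: str) -> bool:
    """Match one SAN entry against a hostname: exact, or '*.' covering
    exactly one left-most label (the usual TLS wildcard rule)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == san[2:]
    return san == host


def covered(host, sans):
    """True if any SAN entry covers the hostname."""
    return any(san_matches(s, host) for s in sans)


def audit(domains, sans):
    """Return {domain: {"bare": bool, "www": bool, "missing": [names]}}."""
    report = {}
    for d in domains:
        names = {"bare": d, "www": "www." + d}
        status = {k: covered(n, sans) for k, n in names.items()}
        status["missing"] = [n for k, n in names.items() if not status[k]]
        report[d] = status
    return report


def names_to_add(domains, sans):
    """Names to include when re-generating the cert so both forms are covered."""
    return sorted(n for r in audit(domains, sans).values() for n in r["missing"])


if __name__ == "__main__":
    for dom, r in audit(HOSTED, SAN_LIST).items():
        print(f"{dom:20} bare={r['bare']!s:5} www={r['www']!s:5} missing={r['missing']}")
    print("add to CSR:", names_to_add(HOSTED, SAN_LIST))
```

On a live server the SAN list can be read from the installed cert with `openssl x509 -in /home/<domain>/ssl.cert -noout -text` and pasted into `SAN_LIST`.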